Is This Bad Security?

So I’m making a sword script and an idea came to my mind that I do the debounce on the client and then sanity check on the server. Is this a bad idea?

Code:

Client:

local Hitbox = game.ReplicatedStorage.Swords.Hitbox

local tool = script.Parent

local player = game.Players.LocalPlayer
local character = player.Character or player.CharacterAdded:Wait()
local humanoid = character:WaitForChild("Humanoid")
local animator = humanoid:WaitForChild("Animator")

local lastActivated = 0
local cooldown = 1

tool.Activated:Connect(function()
	if os.clock() - lastActivated >= cooldown then
		lastActivated = os.clock()
		Hitbox:FireServer()
		
		--Code
	end
end)

Server:

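local Players = game:GetService("Players")
local RunService = game:GetService("RunService")
local Hitbox = game.ReplicatedStorage.Swords.Hitbox

-- Number of Hitbox events received from each player in the current check interval
local firedTable = {}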

local function onPlayerRemoving(player)
	if firedTable[player] then
		firedTable[player] = nil
	end
end

Hitbox.OnServerEvent:Connect(function(player)
	if firedTable[player] == nil then
		firedTable[player] = 0
	end	
	firedTable[player] += 1
	
	--Code
end)

local timeSince = 0
local CHECK_INTERVAL = 1

RunService.Heartbeat:Connect(function(deltaTime)
	timeSince += deltaTime
	
	if timeSince < CHECK_INTERVAL then
		return
	end
	
	timeSince -= CHECK_INTERVAL
	
	for player, eventFiredTimes in pairs(firedTable) do
		if eventFiredTimes > 1 then
			player:Kick("Suspicious Client Activity")
			firedTable[player] = nil
			continue
		end
		firedTable[player] = 0
	end
end)

Players.PlayerRemoving:Connect(onPlayerRemoving)

I need thoughts on this one, it’s very important.

1 Like

You can do the debounce on the table, and if the exploiter changed their debounce on the client, then you may handle their debounce on the server by spawning a new thread to handle it.

1 Like

I made the debounce on the server to know which are spamming the remote events. But I’ll try that.

1 Like

The debounce on the client is just window dressing; the important debounce is on the server, but I would not kick players because of it. It is entirely possible, even likely, that network traffic will result in the occasional back-to-back delivery of events.

Why don't you just do a debounce like normal in the server? You could even do a table debounce since it's server-sided.
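
An added example, not code from any post in this thread: the server-side table debounce the replies suggest, where early events are ignored instead of the player being kicked. The `Hitbox` path and the 1-second cooldown come from the original post; `tryAcceptSwing`, `JITTER_TOLERANCE` and `WARN_EVERY` are names and values assumed for illustration.

```lua
-- Server Script. Added example; the cooldown is enforced only from server state.
local Players = game:GetService("Players")
local ReplicatedStorage = game:GetService("ReplicatedStorage")

local Hitbox = ReplicatedStorage.Swords.Hitbox -- RemoteEvent path from the original post

local COOLDOWN = 1            -- seconds, same value as the client script
local JITTER_TOLERANCE = 0.15 -- assumed slack for events the network delivers bunched together
local WARN_EVERY = 20         -- assumed: log once per this many ignored events

local lastAccepted = {} -- [Player] = os.clock() of the last swing the server accepted
local dropped = {}      -- [Player] = number of early events ignored so far

-- Returns true if the swing is accepted, false if it arrived before the cooldown ended.
-- A rejected event does not move lastAccepted, so spamming cannot extend the cooldown.
local function tryAcceptSwing(player, now)
	local last = lastAccepted[player]
	if last and now - last < COOLDOWN - JITTER_TOLERANCE then
		dropped[player] = (dropped[player] or 0) + 1
		if dropped[player] % WARN_EVERY == 0 then
			-- Repeated early events are worth logging; one or two are normal jitter.
			warn(("%s sent %d early Hitbox events"):format(player.Name, dropped[player]))
		end
		return false
	end
	lastAccepted[player] = now
	return true
end

Hitbox.OnServerEvent:Connect(function(player)
	if not tryAcceptSwing(player, os.clock()) then
		return -- ignore the event; the player is not kicked
	end
	-- Hit detection and damage run here, on the server only.
end)

-- Free the per-player entries so the tables do not grow as players leave.
Players.PlayerRemoving:Connect(function(player)
	lastAccepted[player] = nil
	dropped[player] = nil
end)
```

With the tolerance set, a modified client can swing at most once every `COOLDOWN - JITTER_TOLERANCE` seconds, which bounds what bypassing the client-side debounce gains.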